<!DOCTYPE html>
<html lang="en">
    <!-- title -->




<!-- keywords -->




<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no" >
    <meta name="author" content="m0nk3y">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="m0nk3y">
    
    <meta name="keywords" content="信息安全,CTF,攻防对抗,代码审计,安全研究,渗透测试">
    
    <meta name="description" content="">
    <meta name="description" content="[toc] 今天要回学校了，回学校也快考实验班了，我C 语言太菜，CTF 也很久没玩了。所以简单总结一下之前有遇到过的CTF 知识。慢慢补充细节和其他内容。 脚本题(python、php)快速计算并发起HTTP 请求快速处理数据在大量数据中获取指定内容php 伪随机数安全比较常见的就是seed 爆破。 https:&#x2F;&#x2F;www.anquanke.com&#x2F;post&#x2F;id&#x2F;215349 加密算法可破解X">
<meta property="og:type" content="article">
<meta property="og:title" content="CTF Tricks 总结">
<meta property="og:url" content="https://hack-for.fun/a4738b93.html">
<meta property="og:site_name" content="可惜没如果、m0nk3y‘s Blog">
<meta property="og:description" content="[toc] 今天要回学校了，回学校也快考实验班了，我C 语言太菜，CTF 也很久没玩了。所以简单总结一下之前有遇到过的CTF 知识。慢慢补充细节和其他内容。 脚本题(python、php)快速计算并发起HTTP 请求快速处理数据在大量数据中获取指定内容php 伪随机数安全比较常见的就是seed 爆破。 https:&#x2F;&#x2F;www.anquanke.com&#x2F;post&#x2F;id&#x2F;215349 加密算法可破解X">
<meta property="og:locale" content="en_US">
<meta property="article:published_time" content="2020-08-27T03:06:06.000Z">
<meta property="article:modified_time" content="2020-08-29T02:28:42.264Z">
<meta property="article:author" content="m0nk3y">
<meta property="article:tag" content="CTF">
<meta name="twitter:card" content="summary">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
    
    <title>CTF Tricks 总结 · m0nk3y&#39;s Blog</title>
    <style type="text/css">
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height: 50vh; */
        overflow: hidden;
    }

    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href= "/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    <link rel="stylesheet" href= "/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'" />
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
(function( w ){
	"use strict";
	// rel=preload support test
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href= "https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825203605.JPG" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script" />
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script" />
    <link rel="preload" href="/scripts/main.js" as="script" />
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
<meta name="generator" content="Hexo 5.1.1"><link rel="alternate" href="/atom.xml" title="可惜没如果、m0nk3y‘s Blog" type="application/atom+xml">
</head>

    
        <body class="post-body">
    
    
<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- post页的toggle banner  -->
    
    <div class="banner">
            <div class="blog-title">
                <a href="/" >M0nk3y&#39;s Blog</a>
            </div>
            <div class="post-title">
                <a href="#" class="post-name">CTF Tricks 总结</a>
            </div>
    </div>
    
    <a class="home-link" href=/>M0nk3y's Blog</a>
</header>
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://cdn.jsdelivr.net/gh/ifonly-go2019/PicGo//images/20200825211012.jpg)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            CTF Tricks 总结
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
            <div class="post-intros">
                <!-- 文章页标签  -->
                
                    <div class= post-intro-tags >
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "CTF">CTF</a>
    
</div>
                
                
                    <div class="post-intro-read">
                        <span>Word count: <span class="post-count word-count">552</span>Reading time: <span class="post-count reading-time">2 min</span></span>
                    </div>
                
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2020/08/27</span>
                    
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>
        
    </div>
</div>
        <script>
 
  // get user agent
  var browser = {
    versions: function () {
      var u = window.navigator.userAgent;
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, //IE内核
        presto: u.indexOf('Presto') > -1, //opera内核
        webKit: u.indexOf('AppleWebKit') > -1, //苹果、谷歌内核
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, //火狐内核
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), //是否为移动终端
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), //ios终端
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, //android终端或者uc浏览器
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, //是否为iPhone或者安卓QQ浏览器
        iPad: u.indexOf('iPad') > -1, //是否为iPad
        webApp: u.indexOf('Safari') == -1, //是否为web应用程序，没有头部与底部
        weixin: u.indexOf('MicroMessenger') == -1, //是否为微信浏览器
        uc: u.indexOf('UCBrowser') > -1 //是否为android下的UC浏览器
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);

  // callback
  function fontLoaded() {
    console.log('font loaded');
    if (document.getElementsByClassName('site-intro-meta')) {
      document.getElementsByClassName('intro-title')[0].classList.add('intro-fade-in');
      document.getElementsByClassName('intro-subtitle')[0].classList.add('intro-fade-in');
      var postIntros = document.getElementsByClassName('post-intros')[0]
      if (postIntros) {
        postIntros.classList.add('post-fade-in');
      }
    }
  }

  // UC不支持跨域，所以直接显示
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
    } else {
      WebFont.load({
        custom: {
          families: ['Oswald-Regular']
        },
        loading: function () {  //所有字体开始加载
          // console.log('loading');
        },
        active: function () {  //所有字体已渲染
          fontLoaded();
        },
        inactive: function () { //字体预加载失败，无效字体或浏览器不支持加载
          console.log('inactive: timeout');
          fontLoaded();
        },
        timeout: 5000 // Set the timeout to two seconds
      });
    }
  }

  function asyncErr(){
    console.warn('script load from CDN failed, will load local script')
  }

  // load webfont-loader async, and add callback function
  function async(u, cb, err) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (cb) { o.addEventListener('load', function (e) { cb(null, e); }, false); }
    if (err) { o.addEventListener('error', function (e) { err(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }

  var asyncLoadWithFallBack = function(arr, success, reject) {
      var currReject = function(){
        reject()
        arr.shift()
        if(arr.length)
          async(arr[0], success, currReject)
        }

      async(arr[0], success, currReject)
  }

  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
        <img class="loading" src="/assets/loading.svg" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;" />
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <p>[toc]</p>
<p>今天要回学校了，回学校也快考实验班了，我C 语言太菜，CTF 也很久没玩了。所以简单总结一下之前有遇到过的CTF 知识。慢慢补充细节和其他内容。</p>
<h1 id="脚本题-python、php"><a href="#脚本题-python、php" class="headerlink" title="脚本题(python、php)"></a>脚本题(python、php)</h1><h2 id="快速计算并发起HTTP-请求"><a href="#快速计算并发起HTTP-请求" class="headerlink" title="快速计算并发起HTTP 请求"></a>快速计算并发起HTTP 请求</h2><h2 id="快速处理数据"><a href="#快速处理数据" class="headerlink" title="快速处理数据"></a>快速处理数据</h2><h2 id="在大量数据中获取指定内容"><a href="#在大量数据中获取指定内容" class="headerlink" title="在大量数据中获取指定内容"></a>在大量数据中获取指定内容</h2><h2 id="php-伪随机数安全"><a href="#php-伪随机数安全" class="headerlink" title="php 伪随机数安全"></a>php 伪随机数安全</h2><p>比较常见的就是seed 爆破。</p>
<p><a target="_blank" rel="noopener" href="https://www.anquanke.com/post/id/215349">https://www.anquanke.com/post/id/215349</a></p>
<h2 id="加密算法可破解"><a href="#加密算法可破解" class="headerlink" title="加密算法可破解"></a>加密算法可破解</h2><h1 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h1><h2 id="反射型XSS"><a href="#反射型XSS" class="headerlink" title="反射型XSS"></a>反射型XSS</h2><h2 id="存储型XSS"><a href="#存储型XSS" class="headerlink" title="存储型XSS"></a>存储型XSS</h2><h2 id="DOM-XSS"><a href="#DOM-XSS" class="headerlink" title="DOM-XSS"></a>DOM-XSS</h2><h2 id="XSS-打cookie的姿势"><a href="#XSS-打cookie的姿势" class="headerlink" title="XSS 打cookie的姿势"></a>XSS 打cookie的姿势</h2><h2 id="bypass"><a href="#bypass" class="headerlink" title="bypass"></a>bypass</h2><h1 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h1><h1 id="XXE"><a href="#XXE" class="headerlink" title="XXE"></a>XXE</h1><h2 id="有回显XXE"><a href="#有回显XXE" class="headerlink" title="有回显XXE"></a>有回显XXE</h2><h2 id="blind-XXE"><a href="#blind-XXE" class="headerlink" title="blind XXE"></a>blind XXE</h2><h2 id="oob"><a href="#oob" class="headerlink" title="oob"></a>oob</h2><h2 id="bypass-1"><a href="#bypass-1" class="headerlink" title="bypass"></a>bypass</h2><h1 id="SSI"><a href="#SSI" class="headerlink" title="SSI"></a>SSI</h1><p>SSI 注入全称Server-Side Includes Injection，即服务端包含注入。SSI 是类似于 CGI，用于动态页面的指令。SSI 注入允许远程在 Web 应用中注入脚本来执行代码。</p>
<p>SSI是嵌入HTML页面中的指令，在页面被提供时由服务器进行运算，以对现有HTML页面增加动态生成的内容，而无须通过CGI程序提供其整个页面，或者使用其他动态技术。</p>
<h1 id="SSTI"><a href="#SSTI" class="headerlink" title="SSTI"></a>SSTI</h1><h2 id="Flask"><a href="#Flask" class="headerlink" title="Flask"></a>Flask</h2><h2 id="Twig"><a href="#Twig" class="headerlink" title="Twig"></a>Twig</h2><h2 id="Bypass"><a href="#Bypass" class="headerlink" title="Bypass"></a>Bypass</h2><h1 id="SQL-Injection"><a href="#SQL-Injection" class="headerlink" title="SQL Injection"></a>SQL Injection</h1><h2 id="普通注入"><a href="#普通注入" class="headerlink" title="普通注入"></a>普通注入</h2><h2 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h2><h2 id="二次注入"><a href="#二次注入" class="headerlink" title="二次注入"></a>二次注入</h2><h2 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>盲注</h2><h2 id="读、写文件"><a href="#读、写文件" class="headerlink" title="读、写文件"></a>读、写文件</h2><h2 id="Oracle-mssql"><a href="#Oracle-mssql" class="headerlink" title="Oracle \ mssql"></a>Oracle \ mssql</h2><h2 id="bypass-2"><a href="#bypass-2" class="headerlink" title="bypass"></a>bypass</h2><h1 id="SSRF"><a href="#SSRF" class="headerlink" title="SSRF"></a>SSRF</h1><h2 id="SSRF-探测内网主机存活"><a href="#SSRF-探测内网主机存活" class="headerlink" title="SSRF 探测内网主机存活"></a>SSRF 探测内网主机存活</h2><h2 id="SSRF-文件读取"><a href="#SSRF-文件读取" class="headerlink" title="SSRF 文件读取"></a>SSRF 文件读取</h2><h1 id="RCE"><a href="#RCE" class="headerlink" title="RCE"></a>RCE</h1><h2 id="常规RCE"><a href="#常规RCE" class="headerlink" title="常规RCE"></a>常规RCE</h2><h2 id="Bypass-disable-functions"><a href="#Bypass-disable-functions" class="headerlink" title="Bypass disable_functions"></a>Bypass disable_functions</h2><h2 id="Bypass-open-basedir"><a href="#Bypass-open-basedir" class="headerlink" title="Bypass open_basedir"></a>Bypass open_basedir</h2><h2 id="无字母数字webshell"><a href="#无字母数字webshell" class="headerlink" title="无字母数字webshell"></a>无字母数字webshell</h2><p><a target="_blank" rel="noopener" href="https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html">https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html</a></p>
<h2 id="限制字符长度的RCE"><a href="#限制字符长度的RCE" class="headerlink" title="限制字符长度的RCE"></a>限制字符长度的RCE</h2><h2 id="无回显RCE、OOB"><a href="#无回显RCE、OOB" class="headerlink" title="无回显RCE、OOB"></a>无回显RCE、OOB</h2><p>ceye，dnslog、burp</p>
<h1 id="File-Inclusion-、Arbitary-File-Reading"><a href="#File-Inclusion-、Arbitary-File-Reading" class="headerlink" title="File Inclusion 、Arbitary File Reading"></a>File Inclusion 、Arbitary File Reading</h1><h2 id="日志文件包含"><a href="#日志文件包含" class="headerlink" title="日志文件包含"></a>日志文件包含</h2><h2 id="临时文件包含-php-session-文件包含-sess-token，upload-progress"><a href="#临时文件包含-php-session-文件包含-sess-token，upload-progress" class="headerlink" title="临时文件包含(php session 文件包含.. sess_token，upload_progress)"></a>临时文件包含(php session 文件包含.. sess_token，upload_progress)</h2><h2 id="远程文件包含"><a href="#远程文件包含" class="headerlink" title="远程文件包含"></a>远程文件包含</h2><h2 id="Tomcat-AJP-文件包含、文件读取漏洞"><a href="#Tomcat-AJP-文件包含、文件读取漏洞" class="headerlink" title="Tomcat AJP 文件包含、文件读取漏洞"></a>Tomcat AJP 文件包含、文件读取漏洞</h2><h1 id="File-Upload"><a href="#File-Upload" class="headerlink" title="File Upload"></a>File Upload</h1><h2 id="phar-文件上传GetShell"><a href="#phar-文件上传GetShell" class="headerlink" title="phar 文件上传GetShell"></a>phar 文件上传GetShell</h2><h2 id="图片马"><a href="#图片马" class="headerlink" title="图片马"></a>图片马</h2><h2 id="bypass的几种方法"><a href="#bypass的几种方法" class="headerlink" title="bypass的几种方法"></a>bypass的几种方法</h2><h1 id="信息泄露"><a href="#信息泄露" class="headerlink" title="信息泄露"></a>信息泄露</h1><h2 id="git-svn-DS-Store-bak-swp-php-zip-rar-xml-INF"><a href="#git-svn-DS-Store-bak-swp-php-zip-rar-xml-INF" class="headerlink" title=".git .svn .DS_Store .bak .swp .php~ .zip .rar .xml .INF"></a>.git .svn .DS_Store .bak .swp .php~ .zip .rar .xml .INF</h2><h2 id="配置文件泄露、-bash-history"><a href="#配置文件泄露、-bash-history" class="headerlink" title="配置文件泄露、.bash_history"></a>配置文件泄露、.bash_history</h2><h1 id="HTTP、HTTPS、分块传输"><a href="#HTTP、HTTPS、分块传输" class="headerlink" title="HTTP、HTTPS、分块传输"></a>HTTP、HTTPS、分块传输</h1><h2 id="302-跳转"><a href="#302-跳转" class="headerlink" title="302 跳转"></a>302 跳转</h2><h2 id="XFF-、Referer-、等常见HTTP-Header-知识点"><a href="#XFF-、Referer-、等常见HTTP-Header-知识点" class="headerlink" title="XFF 、Referer 、等常见HTTP Header 知识点"></a>XFF 、Referer 、等常见HTTP Header 知识点</h2><h2 id="分块传输"><a href="#分块传输" class="headerlink" title="分块传输"></a>分块传输</h2><h1 id="Serialize-unserialize-php-python-java"><a href="#Serialize-unserialize-php-python-java" class="headerlink" title="Serialize unserialize(php,python,java)"></a>Serialize unserialize(php,python,java)</h1><h2 id="wakeup-绕过"><a href="#wakeup-绕过" class="headerlink" title="__wakeup 绕过"></a>__wakeup 绕过</h2><h2 id="O-的-bypass"><a href="#O-的-bypass" class="headerlink" title=":O: 的 bypass"></a><code>:O:</code> 的 bypass</h2><h2 id="Phar-拓展反序列化攻击链"><a href="#Phar-拓展反序列化攻击链" class="headerlink" title="Phar 拓展反序列化攻击链"></a>Phar 拓展反序列化攻击链</h2><h2 id="字符串逃逸、对象逃逸"><a href="#字符串逃逸、对象逃逸" class="headerlink" title="字符串逃逸、对象逃逸"></a>字符串逃逸、对象逃逸</h2><h2 id="pop-链子构造"><a href="#pop-链子构造" class="headerlink" title="pop 链子构造"></a>pop 链子构造</h2><h2 id="python-pickle库-反序列化"><a href="#python-pickle库-反序列化" class="headerlink" title="python pickle库 反序列化"></a>python pickle库 反序列化</h2><h2 id="Java-Weblogic-Shiro-等各种反序列化漏洞"><a href="#Java-Weblogic-Shiro-等各种反序列化漏洞" class="headerlink" title="Java Weblogic\Shiro\等各种反序列化漏洞"></a>Java Weblogic\Shiro\等各种反序列化漏洞</h2><h1 id="nodejs"><a href="#nodejs" class="headerlink" title="nodejs"></a>nodejs</h1><h2 id="Vm2-逃逸"><a href="#Vm2-逃逸" class="headerlink" title="Vm2 逃逸"></a>Vm2 逃逸</h2><h2 id="safe-eval"><a href="#safe-eval" class="headerlink" title="safe-eval"></a>safe-eval</h2><h2 id="jwt-token-伪造"><a href="#jwt-token-伪造" class="headerlink" title="jwt token 伪造"></a>jwt token 伪造</h2><h2 id="nodejs代码审计"><a href="#nodejs代码审计" class="headerlink" title="nodejs代码审计"></a>nodejs代码审计</h2><h1 id="DeBug-模式情况下存在的漏洞情景"><a href="#DeBug-模式情况下存在的漏洞情景" class="headerlink" title="DeBug 模式情况下存在的漏洞情景"></a>DeBug 模式情况下存在的漏洞情景</h1><h2 id="python-Flask-Debug-Mode-pin-码导致利用popen-RCE"><a href="#python-Flask-Debug-Mode-pin-码导致利用popen-RCE" class="headerlink" title="python Flask Debug Mode pin 码导致利用popen RCE"></a>python Flask Debug Mode pin 码导致利用popen RCE</h2><h1 id="第三方库安全"><a href="#第三方库安全" class="headerlink" title="第三方库安全"></a>第三方库安全</h1><h2 id="Fastjson-RCE"><a href="#Fastjson-RCE" class="headerlink" title="Fastjson RCE"></a>Fastjson RCE</h2><h2 id="Shiro-RememberMe-Cookie-处的-RCE-身份鉴权绕过"><a href="#Shiro-RememberMe-Cookie-处的-RCE-身份鉴权绕过" class="headerlink" title="Shiro RememberMe Cookie 处的 RCE \ 身份鉴权绕过"></a>Shiro RememberMe Cookie 处的 RCE \ 身份鉴权绕过</h2><h2 id="Struts2"><a href="#Struts2" class="headerlink" title="Struts2"></a>Struts2</h2><h2 id="Redis-主从复制RCE-未授权-、gopher-dict-协议的利用"><a href="#Redis-主从复制RCE-未授权-、gopher-dict-协议的利用" class="headerlink" title="Redis 主从复制RCE \ 未授权 、gopher dict 协议的利用"></a>Redis 主从复制RCE \ 未授权 、gopher dict 协议的利用</h2><h2 id=""><a href="#" class="headerlink" title=""></a></h2>
    </article>
    <!-- license  -->
    
        <div class="license-wrapper">
            <p>Author：<a href="https://hack-for.fun">m0nk3y</a>
            <p>原文链接：<a href="https://hack-for.fun/a4738b93.html">https://hack-for.fun/a4738b93.html</a>
            <p>发表日期：<a href="https://hack-for.fun/a4738b93.html">August 27th 2020, 11:06:06 am</a>
            <p>更新日期：<a href="https://hack-for.fun/a4738b93.html">August 29th 2020, 10:28:42 am</a>
            <p>版权声明：<b>原创文章转载时请注明出处</b></p>
        </div>
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
                <div class="nextSlogan">Next Post</div>
                <a href= "/bc077bb7.html" title= "HTTP request smuggling(请求走私)">
                    <div class="nextTitle">HTTP request smuggling(请求走私)</div>
                </a>
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/13bb2df2.html" title= "iptables 学习">
                    <div class="prevTitle">iptables 学习</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- gitalk评论 -->

    <!-- utteranc评论 -->

    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
    <div class="social">
        
    
        
            
                <a href="mailto:ifonlysec@gmail.com" class="iconfont-archer email" title=email ></a>
            
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
            
                <a href="/atom.xml" class="iconfont-archer rss" target="_blank" title=rss></a>
            
        
    

    </div>
    
    <!-- powered by Hexo  -->
    <div class="copyright">
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank">Archer</a></span>
    </div>
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
    
    <span id="busuanzi_container_site_uv">累计访客量: <span id="busuanzi_value_site_uv"></span> </span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#%E8%84%9A%E6%9C%AC%E9%A2%98-python%E3%80%81php"><span class="toc-number">1.</span> <span class="toc-text">脚本题(python、php)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BF%AB%E9%80%9F%E8%AE%A1%E7%AE%97%E5%B9%B6%E5%8F%91%E8%B5%B7HTTP-%E8%AF%B7%E6%B1%82"><span class="toc-number">1.1.</span> <span class="toc-text">快速计算并发起HTTP 请求</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%BF%AB%E9%80%9F%E5%A4%84%E7%90%86%E6%95%B0%E6%8D%AE"><span class="toc-number">1.2.</span> <span class="toc-text">快速处理数据</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%9C%A8%E5%A4%A7%E9%87%8F%E6%95%B0%E6%8D%AE%E4%B8%AD%E8%8E%B7%E5%8F%96%E6%8C%87%E5%AE%9A%E5%86%85%E5%AE%B9"><span class="toc-number">1.3.</span> <span class="toc-text">在大量数据中获取指定内容</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#php-%E4%BC%AA%E9%9A%8F%E6%9C%BA%E6%95%B0%E5%AE%89%E5%85%A8"><span class="toc-number">1.4.</span> <span class="toc-text">php 伪随机数安全</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%8A%A0%E5%AF%86%E7%AE%97%E6%B3%95%E5%8F%AF%E7%A0%B4%E8%A7%A3"><span class="toc-number">1.5.</span> <span class="toc-text">加密算法可破解</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XSS"><span class="toc-number">2.</span> <span class="toc-text">XSS</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%8F%8D%E5%B0%84%E5%9E%8BXSS"><span class="toc-number">2.1.</span> <span class="toc-text">反射型XSS</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%AD%98%E5%82%A8%E5%9E%8BXSS"><span class="toc-number">2.2.</span> <span class="toc-text">存储型XSS</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#DOM-XSS"><span class="toc-number">2.3.</span> <span class="toc-text">DOM-XSS</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#XSS-%E6%89%93cookie%E7%9A%84%E5%A7%BF%E5%8A%BF"><span class="toc-number">2.4.</span> <span class="toc-text">XSS 打cookie的姿势</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#bypass"><span class="toc-number">2.5.</span> <span class="toc-text">bypass</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#CSRF"><span class="toc-number">3.</span> <span class="toc-text">CSRF</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XXE"><span class="toc-number">4.</span> <span class="toc-text">XXE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%9C%89%E5%9B%9E%E6%98%BEXXE"><span class="toc-number">4.1.</span> <span class="toc-text">有回显XXE</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#blind-XXE"><span class="toc-number">4.2.</span> <span class="toc-text">blind XXE</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#oob"><span class="toc-number">4.3.</span> <span class="toc-text">oob</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#bypass-1"><span class="toc-number">4.4.</span> <span class="toc-text">bypass</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SSI"><span class="toc-number">5.</span> <span class="toc-text">SSI</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SSTI"><span class="toc-number">6.</span> <span class="toc-text">SSTI</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#Flask"><span class="toc-number">6.1.</span> <span class="toc-text">Flask</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Twig"><span class="toc-number">6.2.</span> <span class="toc-text">Twig</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Bypass"><span class="toc-number">6.3.</span> <span class="toc-text">Bypass</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL-Injection"><span class="toc-number">7.</span> <span class="toc-text">SQL Injection</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%99%AE%E9%80%9A%E6%B3%A8%E5%85%A5"><span class="toc-number">7.1.</span> <span class="toc-text">普通注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5"><span class="toc-number">7.2.</span> <span class="toc-text">报错注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%BA%8C%E6%AC%A1%E6%B3%A8%E5%85%A5"><span class="toc-number">7.3.</span> <span class="toc-text">二次注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%9B%B2%E6%B3%A8"><span class="toc-number">7.4.</span> <span class="toc-text">盲注</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%AF%BB%E3%80%81%E5%86%99%E6%96%87%E4%BB%B6"><span class="toc-number">7.5.</span> <span class="toc-text">读、写文件</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Oracle-mssql"><span class="toc-number">7.6.</span> <span class="toc-text">Oracle \ mssql</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#bypass-2"><span class="toc-number">7.7.</span> <span class="toc-text">bypass</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SSRF"><span class="toc-number">8.</span> <span class="toc-text">SSRF</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#SSRF-%E6%8E%A2%E6%B5%8B%E5%86%85%E7%BD%91%E4%B8%BB%E6%9C%BA%E5%AD%98%E6%B4%BB"><span class="toc-number">8.1.</span> <span class="toc-text">SSRF 探测内网主机存活</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#SSRF-%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96"><span class="toc-number">8.2.</span> <span class="toc-text">SSRF 文件读取</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#RCE"><span class="toc-number">9.</span> <span class="toc-text">RCE</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%B8%B8%E8%A7%84RCE"><span class="toc-number">9.1.</span> <span class="toc-text">常规RCE</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Bypass-disable-functions"><span class="toc-number">9.2.</span> <span class="toc-text">Bypass disable_functions</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Bypass-open-basedir"><span class="toc-number">9.3.</span> <span class="toc-text">Bypass open_basedir</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%97%A0%E5%AD%97%E6%AF%8D%E6%95%B0%E5%AD%97webshell"><span class="toc-number">9.4.</span> <span class="toc-text">无字母数字webshell</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E9%99%90%E5%88%B6%E5%AD%97%E7%AC%A6%E9%95%BF%E5%BA%A6%E7%9A%84RCE"><span class="toc-number">9.5.</span> <span class="toc-text">限制字符长度的RCE</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%97%A0%E5%9B%9E%E6%98%BERCE%E3%80%81OOB"><span class="toc-number">9.6.</span> <span class="toc-text">无回显RCE、OOB</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#File-Inclusion-%E3%80%81Arbitary-File-Reading"><span class="toc-number">10.</span> <span class="toc-text">File Inclusion 、Arbitary File Reading</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%97%A5%E5%BF%97%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB"><span class="toc-number">10.1.</span> <span class="toc-text">日志文件包含</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%B4%E6%97%B6%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB-php-session-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB-sess-token%EF%BC%8Cupload-progress"><span class="toc-number">10.2.</span> <span class="toc-text">临时文件包含(php session 文件包含.. sess_token，upload_progress)</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E8%BF%9C%E7%A8%8B%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB"><span class="toc-number">10.3.</span> <span class="toc-text">远程文件包含</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Tomcat-AJP-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E3%80%81%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E"><span class="toc-number">10.4.</span> <span class="toc-text">Tomcat AJP 文件包含、文件读取漏洞</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#File-Upload"><span class="toc-number">11.</span> <span class="toc-text">File Upload</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#phar-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0GetShell"><span class="toc-number">11.1.</span> <span class="toc-text">phar 文件上传GetShell</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%9B%BE%E7%89%87%E9%A9%AC"><span class="toc-number">11.2.</span> <span class="toc-text">图片马</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#bypass%E7%9A%84%E5%87%A0%E7%A7%8D%E6%96%B9%E6%B3%95"><span class="toc-number">11.3.</span> <span class="toc-text">bypass的几种方法</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2"><span class="toc-number">12.</span> <span class="toc-text">信息泄露</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#git-svn-DS-Store-bak-swp-php-zip-rar-xml-INF"><span class="toc-number">12.1.</span> <span class="toc-text">.git .svn .DS_Store .bak .swp .php~ .zip .rar .xml .INF</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6%E6%B3%84%E9%9C%B2%E3%80%81-bash-history"><span class="toc-number">12.2.</span> <span class="toc-text">配置文件泄露、.bash_history</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#HTTP%E3%80%81HTTPS%E3%80%81%E5%88%86%E5%9D%97%E4%BC%A0%E8%BE%93"><span class="toc-number">13.</span> <span class="toc-text">HTTP、HTTPS、分块传输</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#302-%E8%B7%B3%E8%BD%AC"><span class="toc-number">13.1.</span> <span class="toc-text">302 跳转</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#XFF-%E3%80%81Referer-%E3%80%81%E7%AD%89%E5%B8%B8%E8%A7%81HTTP-Header-%E7%9F%A5%E8%AF%86%E7%82%B9"><span class="toc-number">13.2.</span> <span class="toc-text">XFF 、Referer 、等常见HTTP Header 知识点</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%88%86%E5%9D%97%E4%BC%A0%E8%BE%93"><span class="toc-number">13.3.</span> <span class="toc-text">分块传输</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#Serialize-unserialize-php-python-java"><span class="toc-number">14.</span> <span class="toc-text">Serialize unserialize(php,python,java)</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#wakeup-%E7%BB%95%E8%BF%87"><span class="toc-number">14.1.</span> <span class="toc-text">__wakeup 绕过</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#O-%E7%9A%84-bypass"><span class="toc-number">14.2.</span> <span class="toc-text">:O: 的 bypass</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Phar-%E6%8B%93%E5%B1%95%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%94%BB%E5%87%BB%E9%93%BE"><span class="toc-number">14.3.</span> <span class="toc-text">Phar 拓展反序列化攻击链</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E5%AD%97%E7%AC%A6%E4%B8%B2%E9%80%83%E9%80%B8%E3%80%81%E5%AF%B9%E8%B1%A1%E9%80%83%E9%80%B8"><span class="toc-number">14.4.</span> <span class="toc-text">字符串逃逸、对象逃逸</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#pop-%E9%93%BE%E5%AD%90%E6%9E%84%E9%80%A0"><span class="toc-number">14.5.</span> <span class="toc-text">pop 链子构造</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#python-pickle%E5%BA%93-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96"><span class="toc-number">14.6.</span> <span class="toc-text">python pickle库 反序列化</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Java-Weblogic-Shiro-%E7%AD%89%E5%90%84%E7%A7%8D%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E"><span class="toc-number">14.7.</span> <span class="toc-text">Java Weblogic\Shiro\等各种反序列化漏洞</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#nodejs"><span class="toc-number">15.</span> <span class="toc-text">nodejs</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#Vm2-%E9%80%83%E9%80%B8"><span class="toc-number">15.1.</span> <span class="toc-text">Vm2 逃逸</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#safe-eval"><span class="toc-number">15.2.</span> <span class="toc-text">safe-eval</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#jwt-token-%E4%BC%AA%E9%80%A0"><span class="toc-number">15.3.</span> <span class="toc-text">jwt token 伪造</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#nodejs%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1"><span class="toc-number">15.4.</span> <span class="toc-text">nodejs代码审计</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#DeBug-%E6%A8%A1%E5%BC%8F%E6%83%85%E5%86%B5%E4%B8%8B%E5%AD%98%E5%9C%A8%E7%9A%84%E6%BC%8F%E6%B4%9E%E6%83%85%E6%99%AF"><span class="toc-number">16.</span> <span class="toc-text">DeBug 模式情况下存在的漏洞情景</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#python-Flask-Debug-Mode-pin-%E7%A0%81%E5%AF%BC%E8%87%B4%E5%88%A9%E7%94%A8popen-RCE"><span class="toc-number">16.1.</span> <span class="toc-text">python Flask Debug Mode pin 码导致利用popen RCE</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E7%AC%AC%E4%B8%89%E6%96%B9%E5%BA%93%E5%AE%89%E5%85%A8"><span class="toc-number">17.</span> <span class="toc-text">第三方库安全</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#Fastjson-RCE"><span class="toc-number">17.1.</span> <span class="toc-text">Fastjson RCE</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Shiro-RememberMe-Cookie-%E5%A4%84%E7%9A%84-RCE-%E8%BA%AB%E4%BB%BD%E9%89%B4%E6%9D%83%E7%BB%95%E8%BF%87"><span class="toc-number">17.2.</span> <span class="toc-text">Shiro RememberMe Cookie 处的 RCE \ 身份鉴权绕过</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Struts2"><span class="toc-number">17.3.</span> <span class="toc-text">Struts2</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Redis-%E4%B8%BB%E4%BB%8E%E5%A4%8D%E5%88%B6RCE-%E6%9C%AA%E6%8E%88%E6%9D%83-%E3%80%81gopher-dict-%E5%8D%8F%E8%AE%AE%E7%9A%84%E5%88%A9%E7%94%A8"><span class="toc-number">17.4.</span> <span class="toc-text">Redis 主从复制RCE \ 未授权 、gopher dict 协议的利用</span></a></li><li class="toc-item toc-level-2"><a class="toc-link"><span class="toc-number">17.5.</span> <span class="toc-text"></span></a></li></ol></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 22
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2020 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/23</span><a class="archive-post-title" href= "/a45.html" >ThinkPHP5漏洞学习-RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/22</span><a class="archive-post-title" href= "/5dcc.html" >CSS 注入学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/21</span><a class="archive-post-title" href= "/0.html" >《透视APT》读书笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/16</span><a class="archive-post-title" href= "/8d0f.html" >ThinkPHP5漏洞学习-文件包含漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/13</span><a class="archive-post-title" href= "/69fea760.html" >ThinkPHP5漏洞学习-SQL注入</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/12</span><a class="archive-post-title" href= "/844d1b07.html" >新秀企业网站系统代码审计学习(复现)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/4fd81e40.html" >MacOS 下配置PHP代码审计环境，PHP调试学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/11</span><a class="archive-post-title" href= "/66043e4c.html" >WAF Bypass 姿势总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/fb2051a0.html" >CTF-XSS</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/936f84c6.html" >CTF-SSTI</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/07</span><a class="archive-post-title" href= "/54449ea6.html" >Windows 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/04</span><a class="archive-post-title" href= "/e312198e.html" >Linux 服务器应急响应</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/03</span><a class="archive-post-title" href= "/7881c78e.html" >CTF - 文件包含</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/dbb484a9.html" >CTF - RCE</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/30</span><a class="archive-post-title" href= "/103ec22a.html" >CTF - 文件上传</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/29</span><a class="archive-post-title" href= "/bc077bb7.html" >HTTP request smuggling(请求走私)</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/27</span><a class="archive-post-title" href= "/a4738b93.html" >CTF Tricks 总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/13bb2df2.html" >iptables 学习</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/c10c5ca9.html" >Redis 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/26</span><a class="archive-post-title" href= "/e42fccb.html" >常见端口服务漏洞</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/56cfbe5.html" >PHP CVE、ThinkPHP、PhpMyAdmin、PHP 安全学习笔记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/25</span><a class="archive-post-title" href= "/d8714939.html" >PHP以及MYSQL相关版本差异及对应的安全问</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="渗透测试"><span class="iconfont-archer">&#xe606;</span>渗透测试</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="SSTI"><span class="iconfont-archer">&#xe606;</span>SSTI</span>
    
        <span class="sidebar-tag-name" data-tags="协议层安全"><span class="iconfont-archer">&#xe606;</span>协议层安全</span>
    
        <span class="sidebar-tag-name" data-tags="PHP安全"><span class="iconfont-archer">&#xe606;</span>PHP安全</span>
    
        <span class="sidebar-tag-name" data-tags="代码审计"><span class="iconfont-archer">&#xe606;</span>代码审计</span>
    
        <span class="sidebar-tag-name" data-tags="文件包含"><span class="iconfont-archer">&#xe606;</span>文件包含</span>
    
        <span class="sidebar-tag-name" data-tags="Linux应急响应"><span class="iconfont-archer">&#xe606;</span>Linux应急响应</span>
    
        <span class="sidebar-tag-name" data-tags="端口"><span class="iconfont-archer">&#xe606;</span>端口</span>
    
        <span class="sidebar-tag-name" data-tags="漏洞挖掘"><span class="iconfont-archer">&#xe606;</span>漏洞挖掘</span>
    
        <span class="sidebar-tag-name" data-tags="SQL注入"><span class="iconfont-archer">&#xe606;</span>SQL注入</span>
    
        <span class="sidebar-tag-name" data-tags="iptables"><span class="iconfont-archer">&#xe606;</span>iptables</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="RCE"><span class="iconfont-archer">&#xe606;</span>RCE</span>
    
        <span class="sidebar-tag-name" data-tags="Redis"><span class="iconfont-archer">&#xe606;</span>Redis</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="渗透测试"><span class="iconfont-archer">&#xe60a;</span>渗透测试</span>
    
        <span class="sidebar-category-name" data-categories="运维知识"><span class="iconfont-archer">&#xe60a;</span>运维知识</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    var siteMeta = {
        root: "/",
        author: "m0nk3y"
    }
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        if (typeof window.$ === 'undefined')
        {
            console.warn('jquery load from jsdelivr failed, will load local script')
            document.write('<script src="/lib/jquery.min.js">\x3C/script>')
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


